FRSC NOTES Chapters

o Users can post messages or attach files (binaries) for download. o USENET service providers may emphasize anonymity and jurisdictional advantages. - Peer-to-Peer File Sharing (P2P) o A decentralized method of file sharing o Traditional file sharing involves a server hosting files accessed by clients. o Early file-sharing systems (like Napster) used centralized servers.  Liability issues due to copyright violations and centralized directories.  Response to liability concerns led to the elimination of centralized databases; users directly search for shared folders on the network. o Users as Both Server and Client:  P2P users connect to a shared network and act as both server and client.  Users independently share files without reliance on a central server.  When a user wants to download a file, software searches for other users with the desired file.  Users possessing the file contribute pieces to the recipient.  Software reconstructs the original file configuration from collected pieces.  Users, after downloading a file, become nodes in the network; they can then share the file they downloaded with others. Cyberstalking: - Internet enables exploitation, harassment, and bullying; anonymity contributes to bad behavior. - Considered a crime; definitions vary by jurisdiction. - Victims, mainly women, suffer prolonged attacks, impacting work, residence, and health. - Duration increases for intimate partner-related cases. - Stalking in the digital world can escalate to physical violence. - Cyberstalking Investigation o Initiate with victim interview and assess mental health issues. o Collect relevant information about harasser o Record names, addresses, usernames, email addresses, screen names, and social media locations. o Establish methods and timeline: how and when it started incl. what platforms were involved (physical and digital) o Obtain forensically sound copies of digital evidence o Start the chain of custody for evidence o Specific Artifact and Identification  Account usernames and IP addresses are crucial.  Subpoena required to obtain subscriber information in US  Information includes user details, access frequency, and IP address used. - Complications to Investigation: o Legal paperwork may freeze the account to prevent tampering. o Difficulty in cross-jurisdiction cases, especially if the service provider is outside the jurisdiction. o Sometimes impossible to proceed due to jurisdictional constraints.

Chapter Two Forensic Analysis Process Overview As a forensic investigator, a strategic approach is crucial for an efficient investigation. Understanding tools and processes, and critical thinking are key. The Forensic Analysis Process Five Subsets: 1. Pre-Investigation Considerations: - Determine capabilities, equipment, and budget. - Continuous updates and adjustments to technology changes. 2. Understanding Case Information and Legal Issues: - Familiarity with laws, legal decisions, and organizational policies. - Thorough preparation before starting an investigation. 3. Understanding Data Acquisition: - Determine hardware specifications for forensic examination. - Consideration of portable forensic workstations for fieldwork. 4. Understanding the Analysis Process: - Differentiate forensic workstations based on budget and case needs. - Importance of SSDs for high data throughput in forensic workstations. 5. Reporting Your Findings: - The importance of documentation in the forensic process. - Continuous improvement of response kits based on experience. Forensic Workstation: - Configuration depends on budget and case specifics. - Examples include TALINO workstations with varying specifications. - Higher-end configurations may enhance efficiency but depend on budget constraints. - Low end $5000 – High End $18,000 (plus added storage for forensic images) - One bottleneck that a forensic investigator may face with their forensic workstation is data transfer. - Use SSDs because they have much higher throughput than the typical spinning disk does. - A fast CPU and a large amount of RAM enable maximum performance for forensic analysis - These large machines are not usually portable so you’ll also need a forensic laptop - You will need to include Gigabit Ethernet on both workstations to communicate on the local area network. Response Kit: - Unique to each investigator, subject to improvement. - Includes documentary paperwork, pens, and storage containers to store digital evidence.

- Certifying organizations often require annual dues and yearly training for recertification - Certifications vary: tool/vendor-specific and tool-agnostic (use any tool) Certifications Available: - Certified Forensic Computer Examiner (CFCE) (Tool-Agnostic): [IACIS] - EnCase Certified Examiner (EnCE) (Tool-Specific): [OpenText] - ACE (Tool-Specific): [AccessData] - Computer Hacking Forensic Investigator (CHFI) (Tool-Agnostic): [EC-Council] - Global Information Assurance Certification (GIAC) (Tool-Agnostic): [GIAC] - Certified Forensic Mac Examiner (CFME) (Tool-Agnostic): [Sumuri] Preparation Beyond Training: - Understanding legal and case-specific information is vital for investigations. - Legal issues will be discussed in the following sections of the training. Understanding case information and legal issues - You must get information before even powering up your workstation to view digital evidence. This information can be gathered by asking the following questions form the person requesting services: o What is the nature of the investigation? For example, is it a narcotics case, homicide, or employee misconduct? o What digital evidence do you expect to find at the scene? i.e., investigator thinks you’re only looking for a single laptop, but at the scene you fing multiple laptops, multiple desktops, and many mobile devices. Initial info may be inaccurate so be prepared o What is the legal justification? For law enforcement—what is the rationale behind the search? Consent? A search warrant? It doesn’t matter whether it is written consent or a written search warrant: you need to read the search warrant and consent to understand the limits placed on the search. It may be physical limits within the scene or digital limits on what you can search for on digital devices. o Who are the subjects and suspects, and what roles do they play in the investigation? Unlikely you’ll have direct contact but if you do, try talking to them. If you can have a civil conversation with them, you may get additional information about the digital containers and the data. - Make sure the crime scene has been adequately documented and safe before going ahead with your investigation. For law enforcement, this will include removing extraneous personnel from the scene, restricting access, and allowing someone to record the scene. - Photograph everything for future reference and proceedings Understanding Data Acquisition: - After training and certification, having a forensic workstation, laptop, and response kit, the next step is data acquisition. - Volatile memory is a potential source of evidence often overlooked and lost in the past because of the practice “pull the plug”, where first responders would often pull the plug of a running computer in hopes of saving data.

 Physical & Logical: the software will mount the forensic image as a physical device and mount any logical partitions o Mount Method:  Block Device/Read Only: This will read the device as a block device, which means a Windows application that performs physical name querying can view the mounted device.  Block Device/Writable: No changes are made to the original evidence. It will save any changes you attempt to make in a cache file.  File System/Read-Only: The device as a read-only device that someone can view using Windows Explorer. - Analysis of Filesystem and OS: o Begin analysis of filesystem and operating system artifacts. o Operating system acts as a mediator between applications and hardware. o Filesystem is independent, tracks data storage and availability. o Analyze OS artifacts to determine user wrongdoing. o Once malware is ruled out, proceed to report investigation findings. Report your findings - Final Report: o Culmination of the entire investigative process. o Challenges: Explain technical findings to a non-technical audience. o Audience: Reports may vary based on intended readers (prosecutor, executives, third parties). - Details to Include: o Documentation essentials for thorough understanding:  Communication records with primary investigator, prosecutor, or executives.  Condition of evidence containers.  Storage device specifics (make, model, serial number, condition).  Personal identifiers for suspect, victim, witnesses.  Administrative details (forensic hardware, software used).  Detailed examination findings, even if no evidentiary value.  Glossary to define technical terms. - Report Structure: o Break into three primary sections:  Narrative.  Pertinent exhibits.  Supporting documentation. - Narrative: o Include an executive summary. o Explain what occurred, actions taken, and their significance. o Provide screenshots of artifacts with accompanying narratives. o Ensure screenshots focus on discussed artifacts. o Consider redaction for sensitive content. - Pertinent Exhibits:

o Emphasis on testing tools in a laboratory environment before field use to ensure expected results. o Documentation and Validation:  Stress on the importance of documenting steps and procedures during the creation and use of forensic boot media.  Validation of tools and procedures in the laboratory is recommended before applying them in the field.  Partial boots or missed steps can alter timestamps and create entries in logs, affecting the investigation. Creating a Bootable Forensic Device: o USB (8 GB or larger) and an ISO file for the desired operating system are needed. o Rufus, an open-source tool is used for creating bootable USB devices. o The user selects destination USB, the "live" operating system (e.g., Paladin), and partition scheme (MBR or GPT) through Rufus. o Format options are left as default, and the process is initiated by clicking START, resulting in a fully functional, bootable forensic environment. o Rufus: o supports different partition schemes, including MBR (Master Boot Record) and GPT (GUID Partition Table) o supports various file systems such as FAT32, NTFS, and exFAT, providing flexibility in formatting the USB drive. o Is user friendly o doesn't require installation. Users can run Rufus directly from the executable file o supports a range of OSs, including Windows, Linux, macOS, and others o designed to create bootable USB drives compatible with both UEFI and Legacy BIOS systems. o includes a bad block check feature to ensure the integrity of the target USB drive. Hard Drives: o Differentiates between physical drive storage devices and logical devices/volumes/partitions. o "C drive" refers to a logical partition and not a specific physical drive o Components of a hard drive include: o Platters: Circular flat disks coated with a thin layer of magnetic material and stacked on spindles. They are the primary surface where data is magnetically encoded and stored. o Spindles: Responsible for maintaining proper alignment and rotation of platters. A metal rod that is connected to a motor and spins platters at a high speed (5400-15k RPM). o Heads: Small delicate components that read and write data to the magnetic surface of the platter. Each platter has its own read/write head, and they are mounted on arms that can move across the surface of the platters. They operate closely but do not touch, relying on magnetic fields for data interaction.

Partition Identifiers: o Hexadecimal codes used to denote specific attributes or formats of partitions on storage devices. For example, DE may be used by Dell Power Edge Server utilities to mark a particular type of partition, while 07 is commonly associated with the NTFS filesystem. These identifiers help distinguish and recognize the characteristics or purposes of different partitions within the storage system. GPT (GUID Partition Table) Partitions: o GPT introduced as a partitioning scheme for newer storage devices, part of the UEFI standard replacing MBR. o Utilizes LBA and a protective MBR for backward compatibility. o No boot code in the protective MBR. MBR Structure: o MBR is located at sector zero of the hard disk and contains boot code, disk signature, and partition table. o Boot code (440 bytes), disk signature (4 bytes), and partition table (64 bytes) o The partition table restricts to four primary partitions, each represented by a 16-byte entry. o The last 2 bytes serve as the MBR signature marking the end. Volume Boot Record (VBR): o Each partition has a Volume Boot Record (VBR) at sector zero, used to boot the operating system in that volume. o VBR is an operating system-specific artifact and appears on unpartitioned devices like USB or floppy disks. GPT Partition Entries: o GPT partition entries typically found in physical sector 2. o Each entry is 128 bytes, providing information about the partitions. Hidden Areas: HPA and DCO: o The potential for hiding data in spaces outside normal partition boundaries arises from areas on a storage device that may not be readily visible or accessible through standard partitioning tools o Host Protected Area (HPA) and Device Configuration Overlays (DCO) are hidden areas created by manufacturers. o HPA's use for storing recovery and diagnostics tools, inaccessible to the user. o DCO as an overlay for creating standard sets of sectors on components to achieve uniformity. Filesystems Overview: o A filesystem acts as the intermediary between users and the hard drive, providing an organized and efficient way to store, retrieve, and manage data. Different operating

o System-generated alias creation conforming to SFN standards for LFNs. o Alias formatting with the first three characters post-extension becoming the extension. o Introduction to ~ character with a following number to differentiate LFN aliases. o Illustration of LFN directory entries with sequence bytes, sequence numbers, and the indication of the last entry. Recovering Deleted Files in FAT Filesystem: o Explanation of the process when a file is deleted in the FAT filesystem. o Persistence of file data despite deletion, with changes in the directory entry and file allocation table. o Detailed steps for recovering deleted files, including determining starting cluster, file size, and cluster size. o Examination of directory entry and file allocation table for a deleted file example. o Recovering deleted files by modifying file allocation table entries. o Considerations for recovering larger files with multiple clusters. o Handling fragmented files or overwritten data during the recovery process. o Replacing xE5 with another character in the directory entry and ensuring data integrity. o Relinking LFN to SFN during recovery and the importance of maintaining checksum consistency. Slack Space: o Introduction to slack space as the space between the logical end of a file and the cluster boundary. o Explanation of the significance of clusters and sectors in understanding file slack. o Emphasis on slack space containing remnants of previous files until overwritten. o Possibility of discovering evidence such as document files, digital images, chat history, or emails in slack space. Conclusion of FAT Filesystems Section: o Recap of FAT filesystem concepts, including VBR, FAT, data area, and directory entries. o Transition to the next topic, NTFS filesystem, marking the end of the FAT filesystem section. Understanding the NTFS Filesystem: o Introduction to NTFS as the default filesystem for Microsoft Windows operating systems. o Overview of NTFS addressing the shortcomings of FAT32 and designed for reliability and efficiency. o Initial design for the server environment and subsequent adoption in the commercial and consumer market.

o Overview of NTFS complexity with a focus on recording file metadata, marking occupied clusters, and managing allocation status. Chapter Five Timeline Analysis o Artifacts alone don't determine guilt/innocence. o Context matters - place artifacts within user and system activity context. o Case Example: o Accusations of child abuse. o Evidence: High Google searches about treating injuries. o Challenge: Multiple users on the same laptop. o Differentiating users: Analyzing internet history, social media use. o Outcome: Father found not guilty after attributing searches to the mother. o Timeline Analysis Evolution:  Early timeline analysis used rudimentary methods based on MAC times.  Limitation of MAC times: Inaccuracy when files moved, timestamps changed.  Modern approach: Use multiple sources for deeper understanding.  Super Timeline: Gathering data points from various sources.  Multiple Sources for Context:  Confirm MAC times with additional, less manipulable sources.  Event logs, filesystem logs, internet history provide context details.  Rob Lee's concept of a "super timeline" for extensive data points o Hard Drive Capacity and Investigations:  Increasing hard drive capacity leads to more data and logs.  Examine logs without needing to delve into file contents.  Forensic tools advancements: Single tools for timeline creation o Time Zone Considerations:  Date-times discussed, converted into UTC/GMT.  Awareness of dataset and storage time zones crucial.  Standard use of GMT/UTC in examinations. X-Ways Forensics Timeline Utility: o X-Ways Forensics: o Features robust timeline creation utility known as the event list. o Integrates multiple sources for comprehensive timeline compilation. o Data Compilation for Timeline: o X-Ways compiles data from various sources:  Filesystem-level timestamps.  Internal timestamps.  Browser histories.

 Event logs.  Registry hives.  Emails, among others. o Event List Functionality: o Initiating an event list organizes data chronologically. o Result: Detailed timeline showcasing the incident's sequence of events. o Timeline Benefits: o Offers copious amounts of information. o Facilitates a deep understanding of the investigated incident. o Scenario: Data Leak o Incident Overview:  Unauthorized post of a confidential spreadsheet on a competitor's website  Spreadsheet sourced from CFO Jean's computer.  Jean claims to have emailed the spreadsheet to President Allison upon her request o Key Details:  Spreadsheet: m57plan.xls  Spreadsheet MD5 Hash: e23a4eb7f2562f53e88c9dca8b26a153  Modified Time: 2008-JUL-20 01:28:03 GMT o Analysis Starting Point:  Focus on Jean's user account desktop.  Spreadsheet location: Desktop.  Spreadsheet timestamp aligns with Jean's email claim. o Timeline Analysis in X-Ways Forensics:  Access the event list icon in X-Ways Forensics.  Utilize the MD5 hash, filename, and timestamp as reference points.  Gather chronological events for detailed timeline analysis. o Objective: Verify Jean's claim through timeline analysis and understand sequence of events leading to the data leak. o Tool Selection:  Leverage X-Ways Forensics for its robust timeline creation utility.  Use the calendar option to look at the specific date and then search for the filename to see the activity that occurred  First result is showing a link created for the spreadsheet around 1:30am  You can then observe the recorded user activity from there.  You can see that Jean sent an email out and when you click on it you can view the email itself  You can see that it appears Jean has sent an email to Allison but really the email is going to Tuck Gorge  The file for Allison’s email has been compromised.  Using X-Ways we can see when it was compromised.  The investigation now shifts to Allison’s computer where multiple sources are identified as possibilities for the attack. Plaso

o A Python backend and framework for the log2timeline tool o log2timeline is a forensic tool that pulls out timestamps from a system and creates a database of all the events, also known as a super timeline. o Tools Supported by Plaso: o Activated by Command Line Interface (CLI) o Include:  image_export: will export file content from a device media image, or a forensic image  log2timeline: designed to extract chronological-based events from file, directories, forensic images, or devices. It will create a database file (.plaso) that can be then analyzed by a variety of tools  pinfo: a command line that is used to display information about the plaso database file (.plaso) such as when the user executed the tool, what options were used when the tool was run, what info was obtained, etc.  psort: a CLI tool that allows you to filter, sort, and conduct analysis on the contents of the plaso database file.  psteal : the final CLI command in the plaso framework. It combines the log2timeline and psort commands to extract and process events in a single step Network Analysis: o Analyzing log files, trace files, and the communication between users and their devices. Media Analysis: o Analyzing physical storage devices such as hard drives, SSD drives, thumb drives, or optical storage disks. o Examine the content, allocated space, and slack space o You are reverse engineering malicious code or analyzing the protection code for potential exports o Storage devices may contain four different data types to examine: o Allocated Space: space that files occupy and are recognized as being used o Unallocated Space: space that files do not occupy and are recognized as unused o Slack Space: when data is stored in a cluster but the data does not fill that cluster, the unused space is called slack space o Bad Blocks/Sectors/Clusters: space marked bad by the filesystem because of a defect. This space can be used to hide data from a casual inspection o The progression of media analysis: o Disk: physical storage devices o Volume: a container comprising of a single or multiple disks o Filesystem: used within the boundaries of volume and tracks file allocation and cluster use o Data Unit: the smallest allocation unit available to the filesystem, in most cases this is clusters. o Metadata: data about the data – including the modified, accessed and created date- time stamps, as well as other info that was tracked

String Search: o Used when you have a list of specific key words to search for o Keyword categories: o Generic: used in every case. i.e. a fraud keyword list or an illicit images keyword list o Case-specific: for a specific digital forensic investigation based on participants, locations, jargon/slang, email addresses, etc. o Avoid keywords that are overly generic of have multiple meanings o American Standard Code for Information Interchange: a character encoding scheme based initially on U.S. English and is limited to 256-character codes. o Unicode: developed to overcome limitations of ASCII. o Keyword searching can be powerful but has limitations because it can be too literal o Luckily there is an alternative search method known as pattern matching/regular expressions. Common symbols and their meanings: o Asterisk (*) E xample: ca*t will cause positive hits for ct, caat and caaat o Pound (#): this will match a number o Backslash (\): the following character will be interpreted literally o Caret(^): Match the start of the text. Example: ^123 will cause positive hits to start with 123 o Dollar Sign ($): Match the end of the text. Example 123$ will cause positive hits to end with 123 o Plus symbol (+): Repeat proceeding characters for one or more times. Example: ca+t will give positive results for cat, caat, and caaat o Curly bracket {…}: Repeat proceeding characters for X times (depends on value in bracket) o Brackets […]: Will match a single character in the brackets. Example: [b,c,d] will match on b,c, or d. o Brackets with Caret [^…]: Will match any character not in the brackets. Example: [^b,c,d] will match on any character that is not b,c, or d o Brackets range [..-..]: Will match ant character within the range selected o Dot (.): Can take the place of any character o Question Mark (?): The preceding character may/may not be present o Pipe (|): This matches any one character separated by the pipe. Example: br(ead|ake|east) will return matches for bread, brake, or breast. Recovering Deleted Data o When a file is deleted, the file system marks it as deleted but doesn't actually remove the data. The first character of the directory will change and when the filesystem reads the directory entries it will skip those entries. o Recovery Steps: o Identify the starting cluster of the deleted file. o Determine file size and cluster size from the file system's metadata.

o Examine the FAT to locate the clusters associated with the deleted file. o Recover deleted files by re-linking and restoring the FAT entries. o Undelete Process: o Change FAT entries from zeros to the original cluster values. o For larger files, update FAT entries to link clusters in sequence. o Cautionary Notes o Overwritten data is challenging to recover. o Fragmented files may require additional effort for recovery. o Long File Names (LFN) o Recovering files with LFN involves linking to Short File Name (SFN). o Maintain consistency in replacing deleted file characters. o Verification o Confirm the recovery by checking file attributes and content. o Re-link LFN to SFN for comprehensive recovery o Considerations: o Data in slack space may contain remnants of deleted files. o Timely recovery enhances the chances of successful data restoration. o Tool Usage: o Utilize hex editors and file recovery tools for the undelete process. o Exercise caution to avoid unintended changes during recovery. o LFN Recovery: o Re-establish checksums and link LFN to SFN for metadata integrity.